amadey | ef3f4cfb7e485fde47856c43bd273629d8290d7528ddfea9a3117b0bca3bc875

Analysis

max time kernel
148s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2023 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

990KB
MD5

2e12ea085b9a5a8ff4236ec32e618830
SHA1

71549b0b1f814349a0402d6edc2a5c965a7d2f22
SHA256

ef3f4cfb7e485fde47856c43bd273629d8290d7528ddfea9a3117b0bca3bc875
SHA512

0ec9927be474ea92ad27e15828579d769cf5cf37a57254e9af7729bc0093caf33e8f93ff0759b8c280e46f1f0f5219b4dc0e7840e1d282099dd58c8f5d1f2b26
SSDEEP

24576:lyLoM4unS1CK2F3gFx1+PHXpXv8LQm93sKl+y:AuOK2yFyPHXpXv8l3sK

Score

10^/10

amadey redline lino rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lino

176.113.115.145:4125

Attributes

auth_value
ac19251c9237676a0dd7d46d3f536e96

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v7344eM.exetz6541.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7344eM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7344eM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7344eM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz6541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz6541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz6541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz6541.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7344eM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz6541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz6541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7344eM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7344eM.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4132-209-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-210-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-212-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-214-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-216-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-218-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-220-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-222-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-224-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-228-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-226-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-230-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-232-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-234-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-236-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-238-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-240-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral2/memory/4132-242-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exey66ng42.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y66ng42.exe

Executes dropped EXE 11 IoCs

Processes:

zap8474.exezap7170.exezap1987.exetz6541.exev7344eM.exew57ag78.exexoGRL55.exey66ng42.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
2384	zap8474.exe
1748	zap7170.exe
4820	zap1987.exe
1436	tz6541.exe
2256	v7344eM.exe
4132	w57ag78.exe
1552	xoGRL55.exe
2316	y66ng42.exe
2160	oneetx.exe
5108	oneetx.exe
4808	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4584 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4584	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz6541.exev7344eM.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz6541.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7344eM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7344eM.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exezap8474.exezap7170.exezap1987.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8474.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7170.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7170.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1987.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap1987.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4308 2256 WerFault.exe v7344eM.exe
1400 4132 WerFault.exe w57ag78.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

652 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz6541.exev7344eM.exew57ag78.exexoGRL55.exe

pid process

1436 tz6541.exe
1436 tz6541.exe
2256 v7344eM.exe
2256 v7344eM.exe
4132 w57ag78.exe
4132 w57ag78.exe
1552 xoGRL55.exe
1552 xoGRL55.exe

pid	pid_target	process	target process
4308	2256	WerFault.exe	v7344eM.exe
1400	4132	WerFault.exe	w57ag78.exe

pid	process
652	schtasks.exe

pid	process
1436	tz6541.exe
1436	tz6541.exe
2256	v7344eM.exe
2256	v7344eM.exe
4132	w57ag78.exe
4132	w57ag78.exe
1552	xoGRL55.exe
1552	xoGRL55.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz6541.exev7344eM.exew57ag78.exexoGRL55.exe

description	pid	process
Token: SeDebugPrivilege	1436	tz6541.exe
Token: SeDebugPrivilege	2256	v7344eM.exe
Token: SeDebugPrivilege	4132	w57ag78.exe
Token: SeDebugPrivilege	1552	xoGRL55.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y66ng42.exe

pid process

2316 y66ng42.exe

pid	process
2316	y66ng42.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

tmp.exezap8474.exezap7170.exezap1987.exey66ng42.exeoneetx.execmd.exe

description	pid	process	target process
PID 1796 wrote to memory of 2384	1796	tmp.exe	zap8474.exe
PID 1796 wrote to memory of 2384	1796	tmp.exe	zap8474.exe
PID 1796 wrote to memory of 2384	1796	tmp.exe	zap8474.exe
PID 2384 wrote to memory of 1748	2384	zap8474.exe	zap7170.exe
PID 2384 wrote to memory of 1748	2384	zap8474.exe	zap7170.exe
PID 2384 wrote to memory of 1748	2384	zap8474.exe	zap7170.exe
PID 1748 wrote to memory of 4820	1748	zap7170.exe	zap1987.exe
PID 1748 wrote to memory of 4820	1748	zap7170.exe	zap1987.exe
PID 1748 wrote to memory of 4820	1748	zap7170.exe	zap1987.exe
PID 4820 wrote to memory of 1436	4820	zap1987.exe	tz6541.exe
PID 4820 wrote to memory of 1436	4820	zap1987.exe	tz6541.exe
PID 4820 wrote to memory of 2256	4820	zap1987.exe	v7344eM.exe
PID 4820 wrote to memory of 2256	4820	zap1987.exe	v7344eM.exe
PID 4820 wrote to memory of 2256	4820	zap1987.exe	v7344eM.exe
PID 1748 wrote to memory of 4132	1748	zap7170.exe	w57ag78.exe
PID 1748 wrote to memory of 4132	1748	zap7170.exe	w57ag78.exe
PID 1748 wrote to memory of 4132	1748	zap7170.exe	w57ag78.exe
PID 2384 wrote to memory of 1552	2384	zap8474.exe	xoGRL55.exe
PID 2384 wrote to memory of 1552	2384	zap8474.exe	xoGRL55.exe
PID 2384 wrote to memory of 1552	2384	zap8474.exe	xoGRL55.exe
PID 1796 wrote to memory of 2316	1796	tmp.exe	y66ng42.exe
PID 1796 wrote to memory of 2316	1796	tmp.exe	y66ng42.exe
PID 1796 wrote to memory of 2316	1796	tmp.exe	y66ng42.exe
PID 2316 wrote to memory of 2160	2316	y66ng42.exe	oneetx.exe
PID 2316 wrote to memory of 2160	2316	y66ng42.exe	oneetx.exe
PID 2316 wrote to memory of 2160	2316	y66ng42.exe	oneetx.exe
PID 2160 wrote to memory of 652	2160	oneetx.exe	schtasks.exe
PID 2160 wrote to memory of 652	2160	oneetx.exe	schtasks.exe
PID 2160 wrote to memory of 652	2160	oneetx.exe	schtasks.exe
PID 2160 wrote to memory of 1008	2160	oneetx.exe	cmd.exe
PID 2160 wrote to memory of 1008	2160	oneetx.exe	cmd.exe
PID 2160 wrote to memory of 1008	2160	oneetx.exe	cmd.exe
PID 1008 wrote to memory of 3884	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 3884	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 3884	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 2404	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 2404	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 2404	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 820	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 820	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 820	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 3304	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 3304	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 3304	1008	cmd.exe	cmd.exe
PID 1008 wrote to memory of 3300	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 3300	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 3300	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 1016	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 1016	1008	cmd.exe	cacls.exe
PID 1008 wrote to memory of 1016	1008	cmd.exe	cacls.exe
PID 2160 wrote to memory of 4584	2160	oneetx.exe	rundll32.exe
PID 2160 wrote to memory of 4584	2160	oneetx.exe	rundll32.exe
PID 2160 wrote to memory of 4584	2160	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8474.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8474.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7170.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7170.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1987.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1987.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6541.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6541.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7344eM.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7344eM.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1084
6⤵
- Program crash
PID:4308

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57ag78.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57ag78.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1368
5⤵
- Program crash
PID:1400

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoGRL55.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoGRL55.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y66ng42.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y66ng42.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3884

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:2404

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3304

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:3300

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1016

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2256 -ip 2256
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4132 -ip 4132
1⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:4808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y66ng42.exe
Filesize
236KB

MD5
0b9c0aa8e96823a63d18ef89b9fcd230

SHA1
1ed48e3f36ae0e02a723087e972af1c968f90a48

SHA256
f4473241aa4aabf06463752a23205dc1dcf89f0112a4a020907685f8677a749d

SHA512
73cf74cdd4b3b2c1f8d3b3f9870aa2ff2272d885a363d3ea64e48ae83cec5a6df3b414f084f0d7f533b2329719694ad10a7bd690fa5e3d9d08baf7441524271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y66ng42.exe
Filesize
236KB

MD5
0b9c0aa8e96823a63d18ef89b9fcd230

SHA1
1ed48e3f36ae0e02a723087e972af1c968f90a48

SHA256
f4473241aa4aabf06463752a23205dc1dcf89f0112a4a020907685f8677a749d

SHA512
73cf74cdd4b3b2c1f8d3b3f9870aa2ff2272d885a363d3ea64e48ae83cec5a6df3b414f084f0d7f533b2329719694ad10a7bd690fa5e3d9d08baf7441524271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8474.exe
Filesize
806KB

MD5
bb67fccfc21c3e54cc8c544273c8b605

SHA1
d17994eab11733a933a0ef4771bb0a5a6ff6eec7

SHA256
1df8950d28e480e96addb63da4dfa348351ceb06693dc5ad32a993a2f932d985

SHA512
cb749960b6051a0596564eaa36561908caba718765c8723154cef894340966217d15c54d7c27e5a9ae03a7ae1a7992b43b6645e5fd3e8ff88eff5e49e8b70e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8474.exe
Filesize
806KB

MD5
bb67fccfc21c3e54cc8c544273c8b605

SHA1
d17994eab11733a933a0ef4771bb0a5a6ff6eec7

SHA256
1df8950d28e480e96addb63da4dfa348351ceb06693dc5ad32a993a2f932d985

SHA512
cb749960b6051a0596564eaa36561908caba718765c8723154cef894340966217d15c54d7c27e5a9ae03a7ae1a7992b43b6645e5fd3e8ff88eff5e49e8b70e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoGRL55.exe
Filesize
175KB

MD5
670ef908f551c09a3911f65203479519

SHA1
ced37c5e1bfeb21feacaec4d45596b72c755a63b

SHA256
9d58839760cbd091f26535581df8a163120d2faddcd93ce9d4ec4fe1804a298c

SHA512
bf280f99de5aae2ace706e1aa140276f47845551cfbbcef3f2b83da5d6e7ab017d2472d0b712e11eb2eac07d3a3d315786a513a7c7faf0d17e26d7adb5b1621e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoGRL55.exe
Filesize
175KB

MD5
670ef908f551c09a3911f65203479519

SHA1
ced37c5e1bfeb21feacaec4d45596b72c755a63b

SHA256
9d58839760cbd091f26535581df8a163120d2faddcd93ce9d4ec4fe1804a298c

SHA512
bf280f99de5aae2ace706e1aa140276f47845551cfbbcef3f2b83da5d6e7ab017d2472d0b712e11eb2eac07d3a3d315786a513a7c7faf0d17e26d7adb5b1621e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7170.exe
Filesize
664KB

MD5
4718a8d1b301ac72b7b34bd0ab059162

SHA1
7b91d5304f51c1d2d256bdda512077ff346f0185

SHA256
ecf9777fa0820ec0370b4c2b5a128d9aac979a720fa086ed299497b8ec755c78

SHA512
be2e5c1b02211f64b5e254cdb9125539ee221678889d2cf141b73c98b45c97ffc38504699d58bb8453aee50399ff868c9a3047318866c95ba815c19bf4b1690d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7170.exe
Filesize
664KB

MD5
4718a8d1b301ac72b7b34bd0ab059162

SHA1
7b91d5304f51c1d2d256bdda512077ff346f0185

SHA256
ecf9777fa0820ec0370b4c2b5a128d9aac979a720fa086ed299497b8ec755c78

SHA512
be2e5c1b02211f64b5e254cdb9125539ee221678889d2cf141b73c98b45c97ffc38504699d58bb8453aee50399ff868c9a3047318866c95ba815c19bf4b1690d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57ag78.exe
Filesize
335KB

MD5
d2ebb64ce9bff578662ede68d07e5586

SHA1
d790546dcd8e67a6ec2fc12004270b5037282711

SHA256
beab3694ed6dd598c9f8a24e566e057a1ad6077ec8c3d51f448abaafb78cdedf

SHA512
7a0a935a8d7f24a4a67dbcbc1240b283fc423da0fd40b28e42b00bfcee3927f96f5a91b33da02bf96198fdc7242ee91574565e2b67141cc788838ca190925587

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w57ag78.exe
Filesize
335KB

MD5
d2ebb64ce9bff578662ede68d07e5586

SHA1
d790546dcd8e67a6ec2fc12004270b5037282711

SHA256
beab3694ed6dd598c9f8a24e566e057a1ad6077ec8c3d51f448abaafb78cdedf

SHA512
7a0a935a8d7f24a4a67dbcbc1240b283fc423da0fd40b28e42b00bfcee3927f96f5a91b33da02bf96198fdc7242ee91574565e2b67141cc788838ca190925587

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1987.exe
Filesize
329KB

MD5
65ef141d83b836ec34b3810affb0ed5a

SHA1
dd26351aeaf03684929fbba2e278a969494e3e77

SHA256
79f0052f28fd90f119815af39f3167d1fe16cfb323a55a0bf9008db4760d4e56

SHA512
c1ed6f482f755ff502967848e79ced61ed08d59d2116a25109e8f3f092375c947f9189669ed8089770d2252980a76d07d2f2b82c34ad78f2af37a11b2975e5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap1987.exe
Filesize
329KB

MD5
65ef141d83b836ec34b3810affb0ed5a

SHA1
dd26351aeaf03684929fbba2e278a969494e3e77

SHA256
79f0052f28fd90f119815af39f3167d1fe16cfb323a55a0bf9008db4760d4e56

SHA512
c1ed6f482f755ff502967848e79ced61ed08d59d2116a25109e8f3f092375c947f9189669ed8089770d2252980a76d07d2f2b82c34ad78f2af37a11b2975e5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6541.exe
Filesize
11KB

MD5
904631ffe48fd2a864d1cd6138207e1b

SHA1
fefb70c115d81c9889206c7b002f1033d272a2d9

SHA256
f68e6b962a0373b328f81d8a4730888da34633b647bb8c173dad9fcf6a42b354

SHA512
4cf53cf479d7a50a88424f32d494b9591e49af7a2536798a315fe6d5378dd7923a0688cd4a712f431f52f01222b05ee24eb5fb214c27a1de89cf19ae30271416

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6541.exe
Filesize
11KB

MD5
904631ffe48fd2a864d1cd6138207e1b

SHA1
fefb70c115d81c9889206c7b002f1033d272a2d9

SHA256
f68e6b962a0373b328f81d8a4730888da34633b647bb8c173dad9fcf6a42b354

SHA512
4cf53cf479d7a50a88424f32d494b9591e49af7a2536798a315fe6d5378dd7923a0688cd4a712f431f52f01222b05ee24eb5fb214c27a1de89cf19ae30271416

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7344eM.exe
Filesize
277KB

MD5
a0fed71401de6b77816e031ea244a0b3

SHA1
8b5039e95489523b1276045d514dcba471507ca7

SHA256
a1c00565a0c123809eb843b528473917257f3a50ab7e913d4da5a5c3cb6a865c

SHA512
8ff3654645409d2ce278fe21f9ce6d562de9410e392b0c0c643dab287a5332200b62925dda33e6b4470237446bd35e1d3b79e408c6f060d40630b519d21011c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7344eM.exe
Filesize
277KB

MD5
a0fed71401de6b77816e031ea244a0b3

SHA1
8b5039e95489523b1276045d514dcba471507ca7

SHA256
a1c00565a0c123809eb843b528473917257f3a50ab7e913d4da5a5c3cb6a865c

SHA512
8ff3654645409d2ce278fe21f9ce6d562de9410e392b0c0c643dab287a5332200b62925dda33e6b4470237446bd35e1d3b79e408c6f060d40630b519d21011c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
0b9c0aa8e96823a63d18ef89b9fcd230

SHA1
1ed48e3f36ae0e02a723087e972af1c968f90a48

SHA256
f4473241aa4aabf06463752a23205dc1dcf89f0112a4a020907685f8677a749d

SHA512
73cf74cdd4b3b2c1f8d3b3f9870aa2ff2272d885a363d3ea64e48ae83cec5a6df3b414f084f0d7f533b2329719694ad10a7bd690fa5e3d9d08baf7441524271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
0b9c0aa8e96823a63d18ef89b9fcd230

SHA1
1ed48e3f36ae0e02a723087e972af1c968f90a48

SHA256
f4473241aa4aabf06463752a23205dc1dcf89f0112a4a020907685f8677a749d

SHA512
73cf74cdd4b3b2c1f8d3b3f9870aa2ff2272d885a363d3ea64e48ae83cec5a6df3b414f084f0d7f533b2329719694ad10a7bd690fa5e3d9d08baf7441524271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
0b9c0aa8e96823a63d18ef89b9fcd230

SHA1
1ed48e3f36ae0e02a723087e972af1c968f90a48

SHA256
f4473241aa4aabf06463752a23205dc1dcf89f0112a4a020907685f8677a749d

SHA512
73cf74cdd4b3b2c1f8d3b3f9870aa2ff2272d885a363d3ea64e48ae83cec5a6df3b414f084f0d7f533b2329719694ad10a7bd690fa5e3d9d08baf7441524271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
0b9c0aa8e96823a63d18ef89b9fcd230

SHA1
1ed48e3f36ae0e02a723087e972af1c968f90a48

SHA256
f4473241aa4aabf06463752a23205dc1dcf89f0112a4a020907685f8677a749d

SHA512
73cf74cdd4b3b2c1f8d3b3f9870aa2ff2272d885a363d3ea64e48ae83cec5a6df3b414f084f0d7f533b2329719694ad10a7bd690fa5e3d9d08baf7441524271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
0b9c0aa8e96823a63d18ef89b9fcd230

SHA1
1ed48e3f36ae0e02a723087e972af1c968f90a48

SHA256
f4473241aa4aabf06463752a23205dc1dcf89f0112a4a020907685f8677a749d

SHA512
73cf74cdd4b3b2c1f8d3b3f9870aa2ff2272d885a363d3ea64e48ae83cec5a6df3b414f084f0d7f533b2329719694ad10a7bd690fa5e3d9d08baf7441524271d

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1436-161-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1552-1141-0x0000000000050000-0x0000000000082000-memory.dmp

Filesize
200KB

Download
memory/1552-1142-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/1552-1143-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/2256-204-0x0000000000400000-0x0000000002B73000-memory.dmp

Filesize
39.4MB

Download
memory/2256-190-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-194-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-196-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-198-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-199-0x0000000000400000-0x0000000002B73000-memory.dmp

Filesize
39.4MB

Download
memory/2256-201-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/2256-203-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/2256-202-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/2256-180-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-178-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-192-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-176-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-170-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/2256-188-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-174-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-171-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-172-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-168-0x0000000002C80000-0x0000000002CAD000-memory.dmp

Filesize
180KB

Download
memory/2256-169-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/2256-167-0x00000000070F0000-0x0000000007694000-memory.dmp

Filesize
5.6MB

Download
memory/2256-186-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-184-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/2256-182-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/4132-218-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-238-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-240-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-242-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-439-0x0000000002D10000-0x0000000002D5B000-memory.dmp

Filesize
300KB

Download
memory/4132-443-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4132-441-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4132-445-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4132-1119-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/4132-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4132-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4132-1122-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4132-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4132-1125-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4132-1126-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4132-1127-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4132-1128-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4132-1129-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4132-1130-0x0000000009F40000-0x0000000009FB6000-memory.dmp

Filesize
472KB

Download
memory/4132-1131-0x0000000009FC0000-0x000000000A010000-memory.dmp

Filesize
320KB

Download
memory/4132-1132-0x0000000007170000-0x0000000007180000-memory.dmp

Filesize
64KB

Download
memory/4132-236-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-234-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-232-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-230-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-226-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-228-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-224-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-222-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-220-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-216-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-214-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-212-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-210-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-209-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4132-1133-0x000000000A020000-0x000000000A1E2000-memory.dmp

Filesize
1.8MB

Download
memory/4132-1134-0x000000000A1F0000-0x000000000A71C000-memory.dmp

Filesize
5.2MB

Download